('Patch, Sniff and Noping')
Win Code Reversing

Program Details
Program Name: regview.zip
Program Type: Registry Utility
Program Location: Here
Program Size: 566K

Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
HexWorkshop v2.54 - Win'95 Hex Editor
The author of Regview V2.21a says:
"RegView not only provides almost all the features which "RegEdit" has but also adds some very useful features which "RegEdit" misses, such as select root or whole registry for registry key or value search, replace and delete with one single search and which can also combine with multiple keyword string search. Also includes Copy, Cut, Paste, Undo, Redo, Bookmark, Note and other very useful registry editing functions."
This program is protected with a 30-use trial; the remaining uses are counted down in the About screen each time we run it. The registration screen appears once those 30 trials are used up.
We can fire up the program 30 times now, or, if you know how, we can delete the entry in the registry that was created on the first run. Its name is:
HKCU\Software\Vchiu's Software
After that, fire up Regview again and we get a screen telling us:
"Maximum number of trials has been reached!
to continue use of this ...."
If we push the "ok" button we get the registration screen; pushing the "cancel" button shuts Regview down.
The Sandman wrote about Regview v2.21: "Had I sniffed out the serial number then I would not have known or learned about the efforts the programmers had used to make sure their program was 'tamper proof' against novice or inexperienced crackers such as you and me".
I think that the author read Sandman's essay and changed the protection system. From my point of view, he made Regview v2.21a more *crackable*. :)
I will show here two methods of cracking this program:
1 - patch the program so it stops counting the trial uses.
2 - sniff out the real serial number.
Method 1: patch the program so it stops counting the trial uses.
Create a dead listing of Regview with W32Dasm. In the String Data References look for the string:
"Maximum number of trials has been reached!
to continue use of this ....".
Double-click on it and here is the code we're interested in:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048D8DF(C), :0048D8F0(C)
|
:0048D92A 6A00                    push 00000000
:0048D92C 668B0DBCDB4800          mov cx, word ptr [0048DBBC]
:0048D933 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Maximum number of trials has been "
                                        ->"reached!
|
:0048D935 B8C8DB4800              mov eax, 0048DBC8
:0048D93A E8697EFCFF              call 004557A8
:0048D93F 48                      dec eax
:0048D940 755A                    jne 0048D99C
:0048D942 A1F8D44900              mov eax, dword ptr [0049D4F8]
We can see that we get here from one of two conditional jumps; the one that matters is at 0048D8DF. After some tests, I found that we finally reach that jump from this part of the program:
:0048D7B7 E86896FCFF              call 00456E24
:0048D7BC 84C0                    test al, al
:0048D7BE 0F84E5010000            je 0048D9A9
:0048D7C4 BAA8DB4800              mov edx, 0048DBA8
:0048D7C9 8B45F8                  mov eax, dword ptr [ebp-08]
:0048D7CC E85B9CFCFF              call 0045742C
:0048D7D1 8B1550D34900            mov edx, dword ptr [0049D350]
:0048D7D7 8902                    mov dword ptr [edx], eax
:0048D7D9 A150D34900              mov eax, dword ptr [0049D350]
:0048D7DE 81280BFFFFFF            sub dword ptr [eax], FFFFFF0B     ; i.e. add 0F5h
:0048D7E4 A150D34900              mov eax, dword ptr [0049D350]
:0048D7E9 81387CF8FFFF            cmp dword ptr [eax], FFFFF87C
:0048D7EF 750D                    jne 0048D7FE                      ; not registered: go check trial uses
:0048D7F1 A104D34900              mov eax, dword ptr [0049D304]
:0048D7F6 C60001                  mov byte ptr [eax], 01            ; registered = 01
:0048D7F9 E987020000              jmp 0048DA85                      ; no more checks needed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D7EF(C)
|
:0048D7FE A150D34900              mov eax, dword ptr [0049D350]     ; trials used
:0048D803 83381E                  cmp dword ptr [eax], 0000001E     ; 1Eh = 30
:0048D806 7F0E                    jg 0048D816                       ; > 30: jump, show "maximum..."
:0048D808 A150D34900              mov eax, dword ptr [0049D350]
:0048D80D 833800                  cmp dword ptr [eax], 00000000
:0048D810 0F8DBF000000            jnl 0048D8D5                      ; 0..30: on to the block that holds the jump to "maximum..." at 0048D8DF
From the code above we can see that all the trial-use checks are done here, so let's see how we can make the program jump over them.
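As an added example (written for this page; it is not code from the essay or from RegView), here is the check at 0048D7DE..0048D810 re-expressed in 32-bit two's-complement arithmetic, so the constants can be verified instead of read off the screen. It assumes, as the essay does, that [0049D350] holds the count read back from the registry. The sub of FFFFFF0B is an add of 0F5h (245), and the stored value that survives it and equals the sentinel FFFFF87C works out to FFFFF787, the same constant that appears at 0048D95B on the registered path in Method 2. What happens at the jump targets 0048D816 and 0048D8D5 is not in the listing and is not modelled.

```python
"""Trial-counter check at 0048D7DE..0048D810 (RegView v2.21a), as arithmetic.

Added example for this page; not code from the essay or from RegView.  The
flow after the jumps to 0048D816 and 0048D8D5 is not in the listing, so those
branches are only named here, not modelled.
"""

MASK32 = 0xFFFFFFFF
ADJUST = 0xFFFFFF0B               # sub dword ptr [eax], FFFFFF0B  (== add 0F5h, i.e. +245)
REGISTERED_SENTINEL = 0xFFFFF87C  # cmp dword ptr [eax], FFFFF87C
MAX_TRIALS = 0x1E                 # cmp dword ptr [eax], 0000001E


def to_s32(x: int) -> int:
    """Interpret x as a signed 32-bit integer, the way jg/jnl read the flags."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def adjusted_count(stored: int) -> int:
    """Value of [0049D350] after the sub at 0048D7DE, given what was stored in it."""
    return to_s32(stored - ADJUST)


def trial_branch(stored: int) -> str:
    """Which path the code from 0048D7E9 on takes for a given stored value."""
    v = adjusted_count(stored)
    if v == to_s32(REGISTERED_SENTINEL):
        return "registered"                 # 0048D7F1: [0049D304] = 1, jmp 0048DA85
    if v > MAX_TRIALS or v < 0:             # jg 0048D816 taken, or jnl 0048D8D5 not taken
        return "out_of_range -> 0048D816"
    return "in_range -> 0048D8D5"           # 0 <= v <= 30: jnl 0048D8D5 taken


def stored_for_registered() -> int:
    """The stored value that survives the sub and equals the sentinel (unsigned)."""
    return (REGISTERED_SENTINEL + ADJUST) & MASK32   # 0xFFFFF787, as seen at 0048D95B


if __name__ == "__main__":
    reg = stored_for_registered()
    print(f"registered when stored == {reg:#010x} ({to_s32(reg)})")
    # Constructed sample values: the sentinel, the trial window edges, and zero.
    for stored in (reg, -245, -215, -214, 0):
        print(f"stored={stored:>12}  adjusted={adjusted_count(stored):>6}  {trial_branch(stored)}")
```

The point of to_s32 is that jg and jnl are signed compares, so a stored value such as 0 (which becomes 245 after the sub) is already over the limit; the counter the program expects lives in the negative range, offset by 245 from the number of trials used.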
1. Fire up Softice by pressing CTRL-D.
2. Type: bpx hmemcpy, then x to leave Softice.
3. Run Regview.
4. Softice now breaks at the beginning of the first hmemcpy call.
5. Press F12 eight times; we are now in Regview's code.
6. Type: bc * to clear all other breakpoints.
7. Type: bpx 48d7bc, then x to leave Softice. Softice will break again.
8. Type: d 48d7bc; this line will show up at the top of the data window.
9. Type: e and press Enter, overwrite the 84 c0 with eb 38 and press Enter. The instruction "test al, al" has changed to "jmp 0048d7f6" (a short jmp is relative to the end of its own two bytes, so 0048d7bc + 2 + 38h = 0048d7f6).
10. Press x.....
In the last version (v2.21), at this point we got the message:
"This file is corrupt. Please download and install RegView again."
BUT NOW, thank god, we are in Regview. The only thing is that the About screen will show us "unregistered version - 30 more trials left !" FOR EVER.
To avoid this message we will go on to the second method.
Method 2: sniffing out the real serial number.
Fire up the program, click "ok" on "maximum number..." and fill in your name and any registration key. After pressing "ok" we get the error message: "Wrong register key !"
Go look for it in your dead listing. You will find this string 5 times, but the one that is active is at location 0048d985:
* Possible StringData Ref from Code Obj ->"Maximum number of trials has "
                                        ->"been reached!
|
:0048D935 B8C8DB4800              mov eax, 0048DBC8
:0048D93A E8697EFCFF              call 004557A8
--------- snip snip --------
:0048D94B FF92CC000000            call dword ptr [edx+000000CC]     ; !!!
:0048D951 A104D34900              mov eax, dword ptr [0049D304]
:0048D956 803800                  cmp byte ptr [eax], 00
:0048D959 741F                    je 0048D97A                       ; jump to "wrong reg key"
:0048D95B B987F7FFFF              mov ecx, FFFFF787

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D959(C)
|
:0048D97A 6A00                    push 00000000
:0048D97C 668B0D30DC4800          mov cx, word ptr [0048DC30]
:0048D983 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"Wrong register key!"
|
:0048D985 B83CDC4800              mov eax, 0048DC3C
:0048D98A E8197EFCFF              call 004557A8
:0048D98F 8B45FC                  mov eax, dword ptr [ebp-04]
:0048D992 E8C9DEFBFF              call 0044B860
:0048D997 E9E9000000              jmp 0048DA85
We jump to "Wrong register key!" when, on return from the call at
:0048D94B FF92CC000000            call dword ptr [edx+000000CC]
the byte at [0049D304] (the same "registered" flag that is set to 01 at 0048D7F6 in Method 1) is still 00. Inside this call there are many sub-calls that handle the registration window, generate the real code and compare both codes. Let's go into Softice to follow it.
1. Fire up Softice by pressing CTRL-D.
2. Type: bpx hmemcpy, then x to leave Softice.
3. Run Regview.
4. Softice now breaks at the beginning of the first hmemcpy call.
5. Press F12 eight times; we are now in Regview's code.
6. Type: bc * to clear all other breakpoints.
7. Type: bpx 487c17, then x to leave Softice.
8. Click "ok" on "maximum number..." and fill in your name and any registration key.
9. Softice now breaks at location 487c17. Here is the code:
:00487C14 8B45F4                  mov eax, dword ptr [ebp-0C]
:00487C17 8D55F8                  lea edx, dword ptr [ebp-08]       ; we land here!
:00487C1A E821F8FDFF              call 00467440                     ; generate real code
:00487C1F 8B55F8                  mov edx, dword ptr [ebp-08]       ; real code address
:00487C22 58                      pop eax                           ; fake code
:00487C23 E838C2F7FF              call 00403E60                     ; compare codes
:00487C28 7508                    jne 00487C32                      ; fake code? jump
:00487C2A A104D34900              mov eax, dword ptr [0049D304]
:00487C2F C60001                  mov byte ptr [eax], 01            ; registered = 01
Press F10 four times (this steps over the call at 00487C1A; edx is loaded from [ebp-08] at 00487C1F), then type "d edx" and you can see the real registration key in the data window.
Your name must be more than 4 characters long, and the real registration key is a long alphanumeric string.
I think that instead of just sniffing the key, you should go into the calls (with F8) at locations 487c1a and 487c23 and look at how it gets created and checked. It's worth the time it takes!!
For method no. 1:
SEARCH FOR THE FOLLOWING BYTES: FCFF84C00F84E5
REPLACE WITH THE FOLLOWING BYTES: FCFFEB390F84E5
(The "84C0" in the middle is the test al, al at 0048D7BC; the replacement turns it into a short jmp. Note that EB 39 lands at 0048D7BC + 2 + 39h = 0048D7F7, one byte past the 0048D7F6 used in the Softice step above and inside the three-byte mov byte ptr [eax], 01, whereas EB 38 lands on 0048D7F6 itself. Before saving the patch with your hex editor, check the displacement against your own listing and make sure the seven-byte pattern occurs only once in the file.)
For method no. 2:
Nothing is needed.
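The in-memory patch in Method 1 and the file patch listed here are the same change, so here is one added helper (example code written for this page, not the essay author's or RegView's) that makes the short-jump arithmetic and the byte replacement explicit. The addresses and the seven-byte pattern come from the listing in Method 1; the image it patches is a constructed byte string standing in for regview.exe, not the real file.

```python
"""Byte-patch helper for the Method 1 patch (RegView v2.21a, addresses from the listing).

Added example for this page; not code from the essay or from RegView.  The
'image' it patches is a constructed stand-in, not the real regview.exe.
"""
import struct

TEST_AL_AL_ADDR = 0x0048D7BC      # 84 C0  test al, al  (2 bytes; these are the bytes we overwrite)
SET_REGISTERED_ADDR = 0x0048D7F6  # C6 00 01  mov byte ptr [eax], 01  (target named in the Softice step)

# Seven-byte search pattern from the essay: tail of the call, test al,al, head of the je.
FIND_BYTES = bytes.fromhex("FCFF84C00F84E5")
TEST_OFFSET_IN_PATTERN = 2        # "84 C0" occupies bytes 2..3 of the pattern


def encode_short_jmp(jmp_addr: int, target: int) -> bytes:
    """EB xx encoding of a short jmp that sits at jmp_addr and lands on target.

    x86 relative jumps are measured from the end of the jump instruction, i.e.
    jmp_addr + 2 for the two-byte EB form; the displacement is a signed byte.
    """
    disp = target - (jmp_addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{target:#010x} is out of short-jmp range from {jmp_addr:#010x}")
    return b"\xEB" + struct.pack("b", disp)


def decode_short_jmp(jmp_addr: int, code: bytes) -> int:
    """Inverse of encode_short_jmp: where does the EB xx at jmp_addr land?"""
    if len(code) != 2 or code[0] != 0xEB:
        raise ValueError("not a two-byte short jmp")
    return jmp_addr + 2 + struct.unpack("b", code[1:2])[0]


def build_replacement(target: int) -> bytes:
    """FIND_BYTES with 'test al, al' swapped for a short jmp to target (same length)."""
    jmp = encode_short_jmp(TEST_AL_AL_ADDR, target)
    return (FIND_BYTES[:TEST_OFFSET_IN_PATTERN] + jmp
            + FIND_BYTES[TEST_OFFSET_IN_PATTERN + 2:])


def occurrences(image: bytes, pattern: bytes) -> int:
    """Count non-overlapping hits; a file patch is only safe when this is exactly 1."""
    return image.count(pattern)


def patch_unique(image: bytes, find: bytes, replace: bytes) -> bytes:
    """Apply an in-place replacement, refusing ambiguous or size-changing patches."""
    if len(find) != len(replace):
        raise ValueError("find/replace lengths differ; an in-place patch must not shift code")
    hits = occurrences(image, find)
    if hits != 1:
        raise ValueError(f"pattern occurs {hits} times; refine the search bytes")
    off = image.find(find)
    return image[:off] + replace + image[off + len(find):]


def demo() -> dict:
    # Constructed stand-in for regview.exe: filler around the real 7-byte pattern.
    image = b"\x90" * 64 + FIND_BYTES + b"\xCC" * 64
    replacement = build_replacement(SET_REGISTERED_ADDR)
    patched = patch_unique(image, FIND_BYTES, replacement)
    jmp_off = patched.find(replacement) + TEST_OFFSET_IN_PATTERN
    return {
        "replacement_hex": replacement.hex().upper(),
        "lands_at": decode_short_jmp(TEST_AL_AL_ADDR, patched[jmp_off:jmp_off + 2]),
        # The essay's file patch writes EB 39 instead; this is where that one lands.
        "eb39_lands_at": decode_short_jmp(TEST_AL_AL_ADDR, bytes.fromhex("EB39")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

encode_short_jmp makes the point that a short jump is relative to the end of its own two bytes, which is why EB 38 and EB 39 differ in where they land; patch_unique insists on exactly one hit before writing anything, which is the check to run before you let a hex editor loose on a seven-byte pattern.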
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
Sometimes when a new version is released, it is a good challenge to look at whether any changes were made to the protection system, and to try to learn new ways to crack it.
BONUS: if we 'nop' the jne 00487C32 at location 00487C28 (it is two bytes, 75 08, so it takes two nops, 90 90), the program will register itself regardless of what registration key we put in... :)
My thanks and gratitude go to:
The Sandman, for all that he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.